quite simple, and predominantly involved guessing passwords and subsequent installation of keyboard loggers. That suggests that countermeasures can be

I. INTRODUCTION


On December 19, 2013, the Target department store chain, the second-largest retailer in the United States, announced in a press release that hackers had exfiltrated approximately forty million credit and debit-card numbers from November 27 through December 15, 2013 (Target, 2013). The criminals transferred the stolen data to a server in Russia (Raff, 2014).

Since the initial news, there have been numerous postings and announcements from Target, security blogs, and security research companies regarding the intrusion. Although the specific details are still unfolding as of the writing of this thesis, significant attention has focused on Target’s point-of-sale terminals, the locations where customers physically swipe their credit or debit cards for payment.

The Target network intrusion, and the subsequent news that the Neiman Marcus retail chain suffered a similar hack (Krebs, 2013; Krebs, 2014, January 10), has brought national attention to point-of-sale systems and the potential for significant fraud due to compromised payment card information. On February 04, 2014, high-level executives from Target and Neiman Marcus prepared written testimonials in advance of several congressional hearings on retail data breaches the week of February 05, 2014 (Associated Press, 2014; United States Senate, 2014).

While the Target data breach attracted significant national attention due to the magnitude of the data losses, the compromise of credit and debit card numbers through network intrusions of point-of-sale systems has been a problem for several years. Trustwave, an incident response and security research company, identified point-of-sale system malware as far back as July 2008 (Percoco, Sheppard, & Ilyas, n.d.). Much of the discussion among Congress, the Federal Trade Commission, the retail industry, and security experts has focused on two areas: whether the United States should move to the chip-and-personal identification number (PIN) system used in other parts of the world, and whether Congress should pass a federal data breach notification law that would require businesses to notify customers if card data had been compromised (Hans, 2014).

These two suggestions — a Chip-and-PIN system and a federal data breach law — will do nothing to address the question of why hackers so easily breach point-of-sale systems. Chip-and-PIN systems will make it more difficult for criminals to manufacture counterfeit payment cards, and therefore may remove some of the incentive for criminals to attempt point-of-sale system intrusions, but moving to such a system will not prevent point-of-sale intrusions themselves. Although law enforcement agents and forensic specialists are still investigating the Target intrusion, the latest public information suggests that hackers infiltrated the Target network using network credentials stolen from a company contracted by Target to manage the latter’s climate control (HVAC) systems (Krebs, 2014, February 6).

A. PROBLEM STATEMENT

Congressional testimony concerning the recent data breaches against Target and Neiman Marcus has brought much needed focus and attention to the problem of payment card security throughout the retail industry (Douglas, 2014). Members of Congress and corporate executives have suggested migrating toward a more secure Chip-and-PIN card system and passing federal legislation concerning data breach notifications and consumer protection (Associated Press, 2014). Data-breach notification laws have their own intrinsic value, but if stronger information security practices reduce the number and impact of point-of-sale system intrusions, there will be less need for data-breach notification laws.

B. PURPOSE OF STUDY

The Department of Homeland Security, in its Quadrennial Homeland Security Review Report, listed several departmental goals (Department of Homeland Security, 2010). Among these are “Create a Safe, Secure, and Resilient Cyber Environment” and “Promote Cybersecurity Knowledge and Innovation.” Within the Department of Homeland Security, the United States Secret Service shares jurisdictional authority to investigate network intrusions against point-of-sale systems (18 U.S. Code § 1030). The U.S. Secret Service works closely with private forensics firms and other law enforcement agencies to develop forensic knowledge and techniques related to point-of-sale system breaches. By analyzing criminal investigations into point-of-sale systems, this thesis aims to equip the Department of Homeland Security to improve public awareness efforts toward securing point-of-sale systems. We have an additional goal of advancing the discussion of and research into forensic tools and techniques in support of point-of-sale system criminal investigations.

C. LIMITATIONS

In conducting research and analysis on the subject of point-of-sale system data breaches, we encountered several limitations:

• There were no reliable statistics regarding how many criminal intrusions have taken place targeting retail point-of-sale systems. For similar reasons, there are no specific data regarding actual fraud losses to financial institutions, retail establishments, and consumers.

• To protect the integrity of active investigations and the privacy of victims, only aggregated data will be discussed. Specific case studies will be limited to those with publicly released judicial documents.

• In some cases used to supply the aggregate data, specific items such as the name and characteristics of the malware used were not available. In some cases, for example, the victim or point-of-sale system vendor performed a cleanup of the system, thus eliminating evidence.

D. METHODOLOGY

This thesis will evaluate several notable point-of-sale data breaches based on publicly available information, including publicized attacks against the Subway sandwich chain and the recent theft of card data from Target and Neiman Marcus. It will examine open-source documents illustrating the trans-national criminal element of online card data compromises. Finally, it will reference a variety of data breach studies, both point-of-sale-specific and not, from major forensic firms including Trustwave and Verizon.

To develop insight into individual data breaches, this thesis examined forty-two active and recently closed criminal investigations by agents of the U.S. Secret Service. Our goal in performing these case studies was to determine whether there were specific trends related to the nature of the point-of-sale system intrusion (i.e., how the hackers broke in), the hacking exploits or malicious code used, the duration of the attacks, and how the intrusion was discovered.

Finally, as a model for a potential mitigation strategy for the problem of point-of-sale system intrusions, the thesis gives specific recommendations for securing systems and maintaining good security practices. It also reviews an ongoing successful federal crime-prevention program that may serve as a model for a similar effort to reduce point-of-sale system intrusions through public education.

II. REVIEW OF LITERATURE


Point-of-sale systems typically include one or more terminals, a back-of-house server, and a connection to the Internet or to a corporate network. The terminals usually consist of a standalone card terminal (common in supermarkets and department stores, for example) connected to a computer, or a card terminal connected to a touch-screen monitor (common in restaurants and bars, for example). These terminals read the track data from cards and forward the information to a back-of-house server. The back-of-house server collects card data from the merchant’s terminals and relays it to a payment processor for card approval or denial. Larger corporations may use a different configuration in which card data is sent through a corporate office before it reaches a payment processor. Point-of-sale systems include card reading hardware (i.e., the terminals) and software to read data and forward the data to card processors. Most point-of-sale systems for small and medium-sized businesses use standard Microsoft Windows desktops to run the terminals, and use a Windows server as the platform for the back-of-house server. Figure 1 illustrates two common point-of-sale system topologies, the first for a small business and the second for a larger corporation (Trustwave, 2014).

A. POINT OF SALE SYSTEMS AND ATTACKS

Point-of-sale system attacks are a new subject in published books and professional literature, but there has been some prior work assessing specific threats.

Hizver and Chiueh performed an analysis of point-of-sale system software processes on a Windows server in a virtual environment (Hizver & Chiueh, 2012). The authors showed that once the memory locations of the processes were located, a random access memory tool could simply search for ASCII strings consistent with credit card numbers; that is, 13- or 16-digit strings beginning with certain digits (e.g., a 4 for a Visa or a 5 for a MasterCard). This in fact is the premise behind memory-scraping malicious code.
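The following Python script is an added example, not part of this thesis or of Hizver and Chiueh’s work. It shows the same pattern search applied from the investigator’s side, as one would run it over a memory capture to establish whether unencrypted card data was present on a terminal. The sample buffer is constructed, and the card numbers in it are the publicly documented test numbers that pass the Luhn check but belong to no real account; the report masks each hit to the first six and last four digits so that the output is not itself cardholder data.

```python
import re

# Constructed sample standing in for a slice of a point-of-sale terminal's
# memory capture. The card numbers are the publicly documented *test* PANs
# that payment processors publish for sandbox use; they pass the Luhn check
# but belong to no real account. 4111111111111112 is a deliberate near-miss.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP\x00swipe: 4111111111111111 exp 12/15\x00"
    b"cfg-id 4111111111111112\x00"
    b"%B5555555555554444^DOE/JOHN^1512101?\x00"
    b"4222222222222 short\x00"
    b"9999999999999999 1234567890123456\x00"
)

# The pattern Hizver and Chiueh describe: 13- or 16-digit runs that begin with
# a 4 (Visa) or 5 (MasterCard), bounded on both sides by non-digits.
PAN_PATTERN = re.compile(rb"(?<!\d)(?:4\d{12}(?:\d{3})?|5\d{15})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod-10) check: weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 so the report is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, masked PAN, brand) for every Luhn-valid candidate in buf."""
    hits = []
    for m in PAN_PATTERN.finditer(buf):
        pan = m.group().decode("ascii")
        if not luhn_valid(pan):
            continue            # e.g. 4111111111111112: right shape, bad checksum
        brand = "Visa" if pan[0] == "4" else "MasterCard"
        hits.append((m.start(), mask_pan(pan), brand))
    return hits


if __name__ == "__main__":
    for offset, masked, brand in scan_for_pans(SAMPLE_MEMORY):
        print(f"offset 0x{offset:04x}: {brand:<10} {masked}")
```

Run against a real capture, the offsets tell the examiner which process image the data sat in, and the count of distinct hits bounds how many accounts were exposed during the capture window.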

Venter et al. describe a suite of malware files that currently exist in the wild, including “ramsys32.sys,” a malware controller application known as “loader.exe,” and a dynamic link library called “searcher.dll” (Ventner, Sheppard, & Percoco, 2010). The authors explain how these three malicious files work together to scan for and copy out card track data once such data appears in memory. “Searcher.dll” appears in numerous cases examined in Chapter IV.

Bowles et al. propose a method for exploiting point-of-sale system PIN entry devices (Bowles, Cuthbert, & Stewart, 2005). Their analysis focuses on physical attacks against such devices, such as inserting a hardware or software sniffer inside the point-of-sale and PIN hardware. The Michaels craft store chain suffered such an attack against its physical point-of-sale and PIN devices in 2011 (Krebs, 2011).

Many small businesses rely on a point-of-sale system vendor to perform technical updates or repairs. In order to provide real-time customer support, especially during non-business hours, some point-of-sale system vendors install a remote desktop environment (RDE) product on the business’s point-of-sale system. Many hackers who target point-of-sale systems begin by gathering a list of common network ports associated with well-known remote desktop products. For example, PC Anywhere typically runs on TCP port 5631 or 65301 for data, and UDP port 22 or 5632 for status transmissions. Hackers will scan IP addresses connected to restaurants or businesses, looking for indications that those ports are open. Port scanning is a long-established technique, and the preeminent tool for port scanning is Nmap. There are many options available for the Nmap tool (Lyon, 2008).
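As an added example, not from the thesis, the following Python script applies the port list above from the defender’s side: it reads constructed firewall log lines in an assumed syslog-like format (not any vendor’s real format) and flags any source that probes several distinct remote-desktop endpoints within a short window, which is what a sweep against a block of restaurant addresses looks like from the inside. The port table uses the pcAnywhere ports named above plus Microsoft Remote Desktop’s TCP 3389; the addresses, times, and thresholds are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the thesis associates with remote desktop products (pcAnywhere's data and
# status ports, including the legacy pair) plus Microsoft Remote Desktop's TCP 3389.
REMOTE_DESKTOP_PORTS = {
    ("tcp", 5631): "pcAnywhere data",
    ("tcp", 65301): "pcAnywhere data (legacy)",
    ("udp", 5632): "pcAnywhere status",
    ("udp", 22): "pcAnywhere status (legacy)",
    ("tcp", 3389): "Microsoft Remote Desktop",
}

# Constructed firewall log lines (format assumed). 203.0.113.7 sweeps a restaurant
# chain's address block for pcAnywhere and RDP; 203.0.113.9 is the POS vendor's one
# legitimate support session; 192.0.2.5 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2014-02-06T02:14:01Z DENY TCP 203.0.113.7:51234 -> 198.51.100.21:5631
2014-02-06T02:14:02Z DENY TCP 203.0.113.7:51235 -> 198.51.100.22:5631
2014-02-06T02:14:02Z ALLOW TCP 203.0.113.9:40211 -> 198.51.100.21:5631
2014-02-06T02:14:04Z DENY TCP 203.0.113.7:51236 -> 198.51.100.23:5631
2014-02-06T02:14:05Z DENY TCP 203.0.113.7:51237 -> 198.51.100.24:5631
2014-02-06T02:14:09Z DENY UDP 203.0.113.7:51238 -> 198.51.100.21:5632
2014-02-06T02:15:30Z DENY TCP 203.0.113.7:51239 -> 198.51.100.21:3389
2014-02-06T02:15:31Z ALLOW TCP 192.0.2.5:44120 -> 198.51.100.21:443
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "proto": m["proto"].lower(),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_remote_desktop_sweeps(lines, window=timedelta(minutes=5), threshold=4):
    """Map source IP -> sorted (dst, port, product) for every source that touched at
    least `threshold` distinct remote-desktop endpoints within `window`."""
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and (ev["proto"], ev["dport"]) in REMOTE_DESKTOP_PORTS:
            per_source[ev["src"]].append(ev)
    alerts = {}
    for src, events in per_source.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):          # slide the window over each start
            targets = {
                (e["dst"], e["dport"], REMOTE_DESKTOP_PORTS[(e["proto"], e["dport"])])
                for e in events[i:] if e["ts"] - first["ts"] <= window
            }
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect_remote_desktop_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed {len(targets)} remote-desktop endpoints:")
        for dst, port, product in targets:
            print(f"  {dst}:{port} ({product})")
```

The vendor’s single allowed session never reaches the threshold, so the rule distinguishes legitimate support access from a scan without needing the vendor’s address in advance; in practice the threshold and window are tuned to the size of the merchant’s address block.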

B. NONVOLATILE FORENSIC ARTIFACTS

For point-of-sale system intrusions, investigators focus on a variety of volatile and non-volatile forensic clues. In general, volatile artifacts are those elements that are in main memory and will disappear if the network connection is lost or if the affected machine is restarted. Non-volatile forensic artifacts are those items that are typically written to disk, such as a file or Windows Registry key. In general, Secret Service best practices call for agents to acquire both kinds of forensic data, if the circumstances of the investigation allow for such collection.

In non-volatile forensic data collection, an important focal point is the Windows Registry, which is a large collection of user and system settings. Many types of malware used in point-of-sale system intrusions leave or modify one or more identifiable keys in the Windows Registry.

Carvey proposes a method for analyzing volatile, semi-volatile, and archived information on Microsoft Windows-based computers (Carvey, 2012). A number of Carvey’s techniques, for example acquiring and analyzing the Windows Registry hives from the live machine, are particularly useful for analyzing compromised Windows-based point-of-sale terminals (the terminals where employees place orders and swipe cards for processing) and back-of-house servers (typically a server that transfers card data and approval information between the terminals and external payment networks) (Carvey, 2011). Many forms of malware used in point-of-sale system intrusions leave specific traces in Registry keys, and Carvey’s techniques for Registry hive acquisition and analysis work well with these types of investigations.

The most common approach to malware detection relies on identifying suspicious files by comparing the checksum (a many-to-one mapping) of a questionable file against a list of known checksums linked to known malware. Comparing checksums is a simple task that can be performed with a variety of command line or graphical user interface tools. Since most point-of-sale systems use standard commercial software, including underlying operating systems, checksum verification tools can easily be installed and configured on point-of-sale systems to monitor for malicious code with known checksum values. This technique is limited against new (zero-day) exploits for which checksums of the malicious code will not be available.
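The checksum comparison described above, together with its zero-day limitation, in an added Python example that is not part of the thesis. It hashes every file under a directory with SHA-256, matches the digests against a known-bad list, and also compares the directory against a baseline snapshot taken when the system was known clean; the baseline is what catches new or altered files whose hashes appear on no list. The directory contents and the known-bad entry are constructed for the demonstration (the file named after searcher.dll holds placeholder bytes, not the real malware, and its hash is therefore not a real indicator).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large POS binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(root: Path, baseline: dict, known_bad: dict) -> dict:
    """Compare the directory against a known-bad hash list AND a clean baseline.

    known_bad maps SHA-256 -> label. Baseline comparison is what still works when
    the malware is new and no list carries its checksum yet.
    """
    current = snapshot(root)
    findings = {"known_malware": [], "new_files": [], "modified_files": []}
    for rel, digest in current.items():
        if digest in known_bad:
            findings["known_malware"].append((rel, known_bad[digest]))
        if rel not in baseline:
            findings["new_files"].append(rel)
        elif baseline[rel] != digest:
            findings["modified_files"].append(rel)
    findings["missing_files"] = sorted(set(baseline) - set(current))
    return findings


def demo() -> dict:
    """Build a constructed POS directory, baseline it, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "posapp.exe").write_bytes(b"constructed: legitimate POS binary v1")
        (root / "pos" / "config.ini").write_bytes(b"processor=example\n")
        baseline = snapshot(root)                     # taken while the system is clean

        # What an intrusion leaves behind: one file on the known-bad list, one that is
        # not (stands in for a zero-day sample), and one legitimate file altered.
        scraper_stub = b"constructed sample: memory scraper stand-in"
        (root / "pos" / "searcher.dll").write_bytes(scraper_stub)
        (root / "pos" / "unknown.dll").write_bytes(b"constructed sample: never-seen binary")
        (root / "pos" / "config.ini").write_bytes(b"processor=example\nupload=1\n")

        known_bad = {hashlib.sha256(scraper_stub).hexdigest(): "searcher.dll (constructed)"}
        return audit(root, baseline, known_bad)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The known-bad match names searcher.dll, but only the baseline comparison surfaces unknown.dll and the edited config.ini; a deployment would store the baseline off the terminal and re-run the audit on a schedule.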

Ligh et al. propose a number of additional techniques for analyzing files, Windows Registry keys, and memory captures for indications of malicious code infection (Ligh et al., 2011). Their analysis of malware-laced documents (e.g., Adobe PDF files, Microsoft Office documents) is beneficial because some point-of-sale system users conduct non-business Internet activities (e.g., checking email or browsing Web sites) on point-of-sale terminals, and thus are potential targets for phishing or other forms of social engineering.

C. VOLATILE FORENSIC ARTIFACTS

Common examples of volatile data are the contents of random-access memory (RAM), running processes, and active network information. Information regarding active processes and network connections can be obtained from a series of simple command line tools (e.g., the netstat command), but memory (RAM) capture files may include additional information, such as hidden processes and remnants of terminated network data.

Okolica and Peterson propose a method for analyzing Windows-based memory samples for information regarding, among other things, running processes (Okolica & Peterson, 2010). Carvey and Ligh demonstrate the value of studying active processes on a potentially infected or compromised Windows machine (Carvey, 2012; Ligh et al., 2011). Point-of-sale system malicious code may initiate one or more running processes on the infected system (hidden or not); therefore these techniques may assist investigators.

Hejazi et al. describe a method of “application fingerprinting” to extract information beyond string pattern matching and plain text information such as processes (Hejazi, Talki, & Debbabi, 2009). Furthermore, they explain a method for studying the operating system call stack and stack frame to search for useful information in a memory capture. This method could be useful to look for indications of malicious code not easily identifiable through simple string searches.

Beverly et al. explain a method for extracting network packet data from memory samples (Beverly, Garfinkel, & Cardwell, 2011). Their work describes how network packet artifacts, such as Internet Protocol (IP) addresses, can be recovered even after network connections have been terminated. This technique could prove valuable if stolen card data has recently been exfiltrated (either manually or through an automated process), by possibly yielding IP addresses or Domain Name Service information.

D. NETWORK-BASED ARTIFACTS

A survey done for this thesis will suggest that most point-of-sale system intrusions use fairly simple attack methods and forms of malware. Attacks generally make little or no effort to hide or disguise the file names or process names of their malicious code. Nevertheless, it is useful to study network packet captures of compromised point-of-sale terminals to analyze indications of unauthorized card data transmissions. Furthermore, while most small businesses offer few opportunities for log-file analysis or forensic evaluation of routers and network switches, there are useful methods involving them.

Chappell provides a discussion of Wireshark, the most popular tool for acquiring and analyzing network packets (Chappell, 2012). She suggests several security-related scenarios in which network packet captures would be useful for network forensics, such as when an infected machine sends out unauthorized data or attempts to contact a command and control server. In some forms of point-of-sale attacks, criminals will establish an automated file transfer protocol (FTP) or simple mail transport protocol (SMTP) service that will automatically send payment-card collection files to an external file server or free Webmail address.
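An added Python example, not part of the thesis, that serves both the volatile-data collection with netstat mentioned in section C and the automated FTP/SMTP exfiltration described here: it parses constructed output laid out like the Windows netstat -ano command on a point-of-sale terminal and flags outbound connections on FTP or SMTP ports to hosts outside the merchant’s own network and its payment processor. The addresses, process IDs, and trusted ranges are assumed values chosen for the demonstration.

```python
import ipaddress

# Constructed netstat -ano style output from a POS terminal (layout assumed to
# resemble Windows netstat; every value is invented). PID 2316 holds an FTP
# session to an external host and is opening SMTP to another, the automated
# "dump site" upload pattern; PID 1204 is the legitimate processor link.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.21:49731        10.0.5.2:8443          ESTABLISHED     1204
  TCP    10.0.5.21:49802        203.0.113.55:21        ESTABLISHED     2316
  TCP    10.0.5.21:49803        198.51.100.9:25        SYN_SENT        2316
  TCP    10.0.5.21:49810        192.0.2.77:443         ESTABLISHED     1204
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5632           *:*                                    880
"""

# Ports an automated upload component uses (FTP control/data, SMTP).
EXFIL_PORTS = {20: "FTP data", 21: "FTP control", 25: "SMTP", 587: "SMTP submission"}

# Assumed: the merchant's own LAN plus the payment processor the terminal talks to.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.77/32")]


def parse_netstat(text: str) -> list:
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        foreign_ip, foreign_port = f[2].rsplit(":", 1)
        rows.append({
            "proto": f[0].lower(),
            "local_port": int(f[1].rsplit(":", 1)[1]),
            "foreign_ip": foreign_ip,
            "foreign_port": int(foreign_port) if foreign_port.isdigit() else None,
            "state": f[3] if len(f) == 5 else "",     # UDP rows carry no state column
            "pid": int(f[-1]),
        })
    return rows


def is_trusted(ip: str) -> bool:
    """True for addresses inside the trusted networks; '*' style placeholders are not peers."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED)


def find_suspicious_exfil(text: str) -> list:
    """Flag outbound connections on FTP/SMTP ports to hosts outside the trusted set."""
    flagged = []
    for r in parse_netstat(text):
        if r["foreign_port"] in EXFIL_PORTS and not is_trusted(r["foreign_ip"]):
            flagged.append((r["pid"], r["foreign_ip"], r["foreign_port"],
                            EXFIL_PORTS[r["foreign_port"]], r["state"]))
    return flagged


if __name__ == "__main__":
    for pid, ip, port, service, state in find_suspicious_exfil(SAMPLE_NETSTAT):
        print(f"PID {pid}: {service} to {ip}:{port} [{state}]")
```

A terminal that only swipes cards has no business speaking FTP or SMTP to the Internet at all, so the trusted-set check can be as strict as the merchant’s topology allows; the PID in each finding is the handle for the process and memory analysis described in the previous section.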
III. POINT OF SALE SYSTEM BREACHES: A HOMELAND SECURITY PERSPECTIVE


A. PAYMENT CARD SYSTEM COMPROMISES: A HISTORICAL PERSPECTIVE

Despite the significant number of credit and debit-card accounts compromised in the Target point-of-sale system intrusion, it is not the largest payment-card data breach in history. That dubious distinction belongs to Heartland Payment Systems, a payment processing company in New Jersey. In January 2009, Heartland Payment Systems disclosed that hackers had broken into its network and stolen millions of credit-card numbers (Acohido, 2009). In a federal indictment against the three defendants, the United States government declared that hackers had compromised 130 million credit and debit card numbers (U.S. v. Gonzalez). Prior to the Heartland Payment Systems breach, the largest card theft targeted TJX, parent company of clothing retailers TJ Maxx and Marshalls. Over an eighteen-month period in 2005 and 2006, hackers infiltrated the TJX point-of-sale network and garnered approximately 94 million account numbers (Berg, Freeman, & Schneider, 2008).

A study by FICO, a company that specializes in financial analytics and credit scores, identified point-of-sale fraud as far back as 2001 (FICO, 2010). In 2005, researchers from the Electronic Warfare Association-Canada published a paper describing physical attack scenarios against magnetic stripe-based point-of-sale system terminals (Bowles, Cuthbert, & Stewart, 2005). In 2008, the incident response company Trustwave published a report indicating that point-of-sale system hackers were shifting tactics away from data-at-rest attacks (e.g., SQL injection attacks or “smash and grab” attacks, in which an intruder breaks into a network to steal one or more flat files containing payment-card data) toward data-in-memory attacks. Trustwave reasoned that as fewer organizations stored payment card data, and such data was encrypted from the time of the swipe to the verification at a card processing company, the hackers realized the only real opportunity to obtain unencrypted card data was during the brief period of time when the card data was in plain text in the point-of-sale terminal’s random access memory (Trustwave, 2008). Indeed, “memory scraping,” which refers to the act of capturing card data as it briefly enters an unencrypted state in a point-of-sale terminal’s random access memory, is the attack of choice for hackers who target data in transit. Trustwave identified memory scraping as the dominant method of capturing card data in its most recent analysis of payment-card system compromises, the 2013 Global Security Report (Percoco et al., 2013).

B. RECENT HIGH-PROFILE POINT-OF-SALE SYSTEM COMPROMISES

On December 19, 2013, the Target department store chain announced in a press release that hackers compromised approximately 40 million credit and debit card numbers in a three-week period (Target, 2013, December 19). Target released another statement the next day assuring its customers that only credit and debit card track data (name, card number, expiration date, and CVV) had been stolen. Target emphasized that PIN codes for debit-card transactions had not been compromised (Target, 2013, December 20). Target added that customers who shopped at its online site (i.e., target.com) were not affected, suggesting that the intruders compromised the point-of-sale system, the mechanism that processes cards for in-store purchases. On January 12, 2014, Target CEO Gregg Steinhafel confirmed that the data breach included malware infections of point-of-sale terminals (Quick, 2014). In February 2014, investigators focused on Fazio, a company Target contracted for HVAC work. In a publicly released statement, Fazio claimed that it was also a victim of the Target data breach, and that Fazio followed industry best practices for information security (Fazio, n.d.; Krebs, 2014, February 12).

Less than a month after Target disclosed its large-scale data breach, representatives from the Neiman Marcus retail chain announced that the high-end retailer had also suffered a network intrusion, compromising 1.1 million credit and debit card numbers (D’Innocenzio, 2014). In a statement, Neiman Marcus revealed that its point-of-sale system was compromised over a period of more than three months (Katz, 2014). According to a Reuters report, malware known as a “memory scraper” was used in both the Target and Neiman Marcus attacks (Finkle & Hosenball, 2014).

The exact potential fraud losses for these two data breaches, affecting over forty-one million credit and debit cards, would be difficult to determine, as each cardholder has a distinct credit limit or debit balance. If we use the United States Sentencing Commission standard of $500 loss per card (United States Sentencing Commission, 2013), then the Target and Neiman Marcus breaches alone could yield over twenty billion dollars in fraud.

C. RECENT PUBLIC DISCOURSE OVER POINT-OF-SALE DATA COMPROMISES

Even after fifteen years of publicity surrounding point-of-sale system compromises, including high-profile criminal arrests and major intrusions against TJX and Heartland Payment Systems, the recent Target and Neiman Marcus data breaches generated significant public attention. In February 2014, Congress held hearings on the Target and Neiman Marcus intrusions. The focus of the hearings, based on testimony of retail executives and comments and questions by members of Congress, centered on whether and when the United States retail and financial sectors should move from magnetic-stripe cards to Chip-and-PIN cards. While a move to Chip-and-PIN cards will make the counterfeiting of credit and debit cards more difficult, it will not prevent point-of-sale system intrusions themselves, since it does not affect memory scraping (Associated Press, 2014).

A secondary discourse centers on whether the United States Congress should pass a national data-breach notification law. Such a law would require retailers and financial institutions to notify cardholders when a data breach has occurred. A federal data breach law would supersede the current patchwork of over forty state-level data breach laws. Congress has attempted to pass a federal data-breach notification law several times over the past decade without success, but the recent focus on Target and Neiman Marcus may provide fresh support for such a law (Selyukh, 2014).

What is absent in the flurry of press releases, Congressional hearings, and news interviews is a discussion of why United States retailers and financial institutions continue to suffer point-of-sale system compromises, despite a long and well-publicized history of major breaches.

D. SUBWAY - A CASE STUDY

On May 04, 2011, a federal grand jury in New Hampshire indicted six individuals, including four Romanian nationals, for hacking into numerous point-of-sale systems. According to the grand jury, the group of hackers broke into point-of-sale systems of over 150 Subway sandwich franchises and fifty other retailers (U.S. v. Oprea et al.). The hacking group ultimately compromised over 100,000 cards, leading to more than $17.5 million in unauthorized charges and remediation expenses (DOJ, 2013).

The grand jury alleged that the group of six hackers broke into Subway and other retail point-of-sale systems over a period of approximately three years, from April 2008 until March 2011. The grand jury identified the following typical sequence of events:

1. The suspects scanned target systems looking for vulnerable remote desktop software (i.e., port scanning for standard ports used by common remote desktop software and services).

2. The suspects breached the point-of-sale systems by using easy-to-guess passwords or password-cracking tools against the remote desktop software.

3. Once the hackers had access to the point-of-sale system, they installed a back-door (specified in the indictment as xp.exe). This tool allowed the suspects to regain entry and introduce additional software tools.

4. The hackers installed a keylogger (not specifically identified in the indictment) that captured card track data.

5. The hackers exfiltrated the stolen card track data to a series of “dump sites” (FTP servers) maintained by the hackers.

6. From overseas locations, the hackers would transfer the stolen card data from the dump sites to a central file server controlled by the hackers.

7. The hackers would “monetize” (i.e., profit from) the theft of stolen card data by either selling the card data in the criminal underground, or by making unauthorized charges against the compromised accounts. In some instances, “the members created phony plastic credit cards by using hardware and software devices (including magnetic stripe readers/writers) to encode blank plastic cards with the stolen credit card data. They then used these encoded plastic cards to make unauthorized charges with various merchants, primarily located throughout Europe” (U.S. v. Oprea et al.).

Since the indictment, three of the six defendants have pled guilty and have been sentenced. Two unnamed suspects have yet to be identified, and one of the named suspects remains at large in Romania.

The Subway case is not the largest in history, nor is it notable for any form of sophisticated malware or hacking techniques. In many ways, though, the Subway case is a classic model of criminal intrusions into point-of-sale systems. The attackers often begin by running a port scan against IP addresses that belong to restaurants and other retailers, looking for port numbers that correspond to remote desktop software or services such as PC Anywhere, Microsoft Remote Desktop, LogMeIn, or GoToMyPC. Remote access software (sometimes known as a remote desktop environment) is common on point-of-sale systems, to allow point-of-sale technicians (usually from the company that installed the point-of-sale system) to remotely log in and troubleshoot issues with a business’s point-of-sale system. Unfortunately, these common remote-access products use common port numbers, and point-of-sale merchants often establish common (de facto default) user-name and password combinations (Trustwave, 2014). When the intruders find remote desktop ports open, they try easy-to-guess passwords, default passwords, or brute-force password cracking methods. Once inside the restaurant’s network, the attackers then employ a keystroke logger or memory scraper to capture card track data. The stolen data is then uploaded to an external file server, usually called a “dumps site,” where the criminals later aggregate and sort the card data by card type (Visa, MasterCard, American Express) and location of the issuing bank.

It  is  worth  noting  that  all  of  the  named  suspects,  including  the  three  that 
have  pled  guilty,  are  from  overseas.  Moreover,  a  portion  of  the  fraud  occurred  in 
Europe.  The  Subway  case  is  but  a  mere  example  of  how  cyber  crime  has 
rendered  international  borders  less  important,  at  least  for  the  criminals  that  gain 
illegal  access  to  retail  establishments,  compromise  thousands  or  even  millions  of 
cards,  then  use  these  accounts  to  make  fraudulent  purchases  or  sell  them  on 
“dumps  sites,”  where  anyone  with  Internet  access  can  purchase  credit  or  debit 
card  data  with  which  to  make  counterfeit  cards.  The  transnational  element  of 
cybercrime,  which  is  prevalent  with  point-of-sale  breaches,  presents  a  unique 
attack  against  the  financial  health  of  the  United  States. 

E. THE TRANSNATIONAL ELEMENT IN PAYMENT SYSTEM BREACHES

On August 07, 2009, French police, using information provided by the United States Secret Service, arrested Vladimir Horohorin as he boarded a plane in Nice on his way back to Russia (DOJ, 2010). According to a Grand Jury indictment, Horohorin, also known as “BadB,” operated a fully automated “dumps site,” dumps.name. A “dumps site” is a Website devoted to the buying and selling of stolen card data (U.S. v. Horohorin). The United States Department of Justice declared that Horohorin ran one of the largest “dumps sites” in the world until his arrest (DOJ, 2012).
On his Website, Horohorin posted two animated videos glorifying the “carder” lifestyle. In his first video, a Russian and an Italian carder are shown enjoying the fruits of their criminal activities while various United States citizens discover that their account balances are empty (Zetter, 2010). In the second video, the Russian hacker is shown accepting a medal from Russian President Vladimir Putin. At the end of the second video, a statement in broken English reads, in part, “we awaiting for new dumps and new incomes, we awaiting you to fight the imperialism of USA. That way we invest U.S. funds in Russian economy and make it grow bigger!” (BadB cartoon, n.d.).

It is impossible to measure the degree to which anti-American sentiment motivates Russian or other international hackers. There is no question, however, that proceeds from card breaches are changing the dynamics of the worldwide underground economy. In the past three years news organizations have published no fewer than three detailed reports about the Romanian town of Ramnicu Valcea, also known as “Hackerville.” According to these articles, proceeds from online fraud and hacking have brought sudden and suspicious wealth to a previously poor city of 100,000 citizens (Bhattacharjee, 2011; Bran, 2013; Odobescu, 2014).

It is impossible to determine the exact involvement and extent of foreign criminals in the world of payment system intrusions and fraud. Not all data breaches are reported to law enforcement, and even in the cases that law enforcement investigates, only a small portion of the suspects are identified, let alone prosecuted. Furthermore, payment system breaches generally involve three types of criminal activity:

1. The illegal network or system intrusion into the point-of-sale system or payment system, which leads to theft of credit and debit card numbers, expiration dates, and in some cases PIN codes and personal information.

2. The trafficking of credit and debit card numbers. Most of the buying and selling of bulk quantities of credit and debit card data is done through Websites variously called “dumps sites,” “carding portals,” or “carding forums.” Some of the more infamous of these were and are Shadow Crew, Carderplanet, Carder.su, and Mazafaka.ru. In general the criminals that steal credit and debit card numbers sell stolen card data to these “carding” or “dumps” sites. While the criminals will often keep a portion of stolen card data for their own personal use, they sell the vast majority to “carding” sites.

3. The street use of stolen credit and debit card numbers. While the first two kinds of criminals can and often do use compromised card data for their own fraudulent purchases, a large portion of the criminal proceeds occurs by selling data to street-level criminals. For credit-card information, the end-user criminals will make fraudulent purchases online or re-encode the compromised information onto counterfeit credit cards to use in person at stores, hotels, etc. For debit-card information, criminals will make fraudulent purchases online, re-encode the data onto counterfeit cards to make in-person fraudulent purchases, or use the counterfeit cards to make cash withdrawals at Automated Teller Machines (ATM), an activity known as a “cash out.” In some instances, a criminal organization will produce hundreds or thousands of counterfeit ATM cards, using stolen card data and PIN codes. The criminal organization will recruit “mules,” or accomplices who are willing to use the fraudulent cards at ATM machines around the world. Generally the “mules” keep a portion of the cash withdrawn, and send the remainder to the criminal organizers.

The layered nature of payment system intrusions and subsequent card fraud means that even a relatively simple theft of credit and debit-card numbers from a small restaurant in Idaho may have connections to large-scale transnational organized crime. Figure 2 illustrates a common layout for a “carding” criminal enterprise.

Figure 2. ... Hierarchy


The Albert Gonzalez hacking organization provides a good illustration of the trans-national aspect of the criminal “carding” underground. Gonzalez was a hacker involved with the Shadow Crew organization, and later developed his own criminal enterprise. Unlike most carding operations, in which the “dumps” site administrator serves as a pure separator between stolen card sellers (i.e., the PCS or other hackers) and buyers (i.e., the street users or “mules”), Gonzalez established and directed all layers of activities. The Gonzalez carding organization included individuals from several countries, thus illustrating the international aspect of the stolen card underground. Figure 3 shows the basic organizational chart of the Gonzalez hacking organization.

Figure 3. The Albert Gonzalez Carding Organization

F. THE HOMELAND SECURITY CONNECTION

The examples in the previous section illustrate that theft of card data from point-of-sale systems is truly an international problem. State and local law enforcement agencies are generally limited in their reach against these international crime rings, mainly due to jurisdictional restrictions, but also due to funding and other resource problems. State and local police departments can and do play a critical role in arresting the end users or “mules” of counterfeit credit, debit, and ATM cards. In fact, the dismantling of the Shadow Crew carding organization began largely when a New York City Police detective arrested Albert Gonzalez in the act of “cashing out,” or using counterfeit ATM cards encoded with stolen data (Verini, 2010).

Furthermore, the significant number of compromised card accounts, coupled with billions of dollars in fraud losses and other expenses, poses a serious threat to the health of the United States economy, and is therefore a homeland security problem. Table 1 shows a list of some of the major card breaches in recent U.S. history (Krebs, 2013; FBI, 2009; US v. Gonzalez, 2010; Cratty, 2012; Pepitone, 2014). These breaches alone yielded hackers almost 270 million credit and debit card numbers, with an estimated fraud loss of almost $135 billion.


Table 1. Payment Card and Fraud Losses for Major Breaches

| Victim                    | Number of Payment Cards Compromised | Estimated Fraud Loss |
|---------------------------|-------------------------------------|----------------------|
| Target Stores             | 40 million                          | $20 billion*         |
| RBS World Pay             | N/A                                 | $9 million           |
| Hannaford Grocery         | 4.2 million                         | $2 million           |
| DSW (online shoe store)   | 1 million                           | $500 million*        |
| Dave & Buster’s           | 240,000                             | $3 million           |
| TJ Maxx/Marshall’s        | 94 million                          | $47 billion*         |
| Heartland Payment Systems | 130 million                         | $65 billion*         |

* Exact fraud loss amounts not available; figures derived from the number of payment cards compromised with an average fraud loss of $500, per the United States Sentencing Commission.


Criminals obtain the majority of their stolen card numbers by hacking into point-of-sale systems. In fact, of the three largest card data breaches in U.S. history, two were the result of point-of-sale compromises (US v. Gonzalez, 2008; US v. Gonzalez, 2009; Krebs, 2014, February 12):

Table 2. Three Largest Payment-card Breaches and Primary Method of Compromise

| Victim                   | Primary Method of Compromise                                                                                                         |
|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| TJ Maxx/Marshall’s       | Point-of-sale system compromised via cracked WEP keys on 802.11 wireless system                                                      |
| Heartland Payment System | SQL injection against Website                                                                                                        |
| Target Stores            | Point-of-sale system compromised after hackers broke into a trusted third-party system and made their way to Target’s point-of-sale system |

While criminals do obtain stolen card data through various hacking methods, including SQL injection, the majority of compromised accounts and the majority of individual intrusions involve attacks against retail point-of-sale systems. As point-of-sale systems yield the greatest fraud losses and therefore impact on the U.S. economy, any efforts toward mitigating the homeland security problem of trans-national carding organizations must begin with reducing the frequency and impact of intrusions against point-of-sale systems.
IV. A SURVEY OF CRIMINAL INVESTIGATIONS OF POINT-OF-SALE SYSTEM INTRUSIONS

A. NATURE AND PURPOSE OF RESEARCH

To gain insight into the mechanics of criminal point-of-sale intrusions, we reviewed forty-two criminal investigations of point-of-sale breaches conducted by the United States Secret Service. We reviewed all point-of-sale cases opened from January 2013 through January 2014. In general, Secret Service agents begin a point-of-sale investigation following one of two conditions:

• A bank or other financial institution notifies a Secret Service field office that a retail establishment appears to be a “common point of compromise.” When fraudulent purchases appear on a legitimate cardholder’s account, financial institution fraud investigators look for common locations where the legitimate cardholder used the payment card. For example, if Mom’s Bank received complaints of fraudulent purchases from twelve different customers, and all twelve made a purchase at Dad’s Cafe, then Dad’s Cafe is the common point of compromise, and the nearest Secret Service office to Dad’s Cafe will dispatch an agent to investigate. Based on the results of our research, this is the most common method.

• Secret Service agents investigating criminal carding organizations will learn about a specific point-of-sale breach through confidential informants or undercover methods.
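The common-point-of-compromise analysis from the first condition above, worked through as an added example (not part of the thesis): the bank, the merchants, the card identifiers and the dates are all constructed, and the ranking heuristic (coverage of the reporting cardholders, then how exclusive the merchant is to them) is the author's own, not the Secret Service's.

```python
"""Common-point-of-compromise analysis (added example, not from the thesis).

A bank's fraud investigators gather the purchase histories of the cardholders
who reported fraud and look for the merchant that all of them visited but
that few other cardholders did.  Every card id, merchant and date below is
constructed for illustration.
"""
from collections import defaultdict
from datetime import date


def build_sample():
    """Constructed data: 30 cardholders of Mom's Bank, of whom 12 reported fraud."""
    transactions = []                      # (card_id, merchant, purchase_date)
    fraud_cards = {f"C{i:02d}" for i in range(1, 13)}
    for i in range(1, 31):
        card = f"C{i:02d}"
        # Everyone shops at the big-box store, so it is NOT a useful signal.
        transactions.append((card, "BigMart", date(2013, 11, 1)))
        # The 12 fraud victims plus two other customers ate at Dad's Cafe.
        if i <= 14:
            transactions.append((card, "Dad's Cafe", date(2013, 11, i)))
        # A gas station visited by some victims and some non-victims.
        if i <= 5 or 20 <= i <= 25:
            transactions.append((card, "Corner Gas", date(2013, 11, 15)))
    return transactions, fraud_cards


def common_points_of_compromise(transactions, fraud_cards, min_share=0.75):
    """Rank merchants as candidate points of compromise.

    fraud_share: fraction of the reporting cardholders who used the merchant.
    precision:   fraction of the merchant's customers who reported fraud; a
                 merchant everyone uses has high fraud_share but low precision.
    window:      earliest and latest purchase there by a reporting cardholder,
                 a first estimate of the compromise period.
    """
    customers = defaultdict(set)
    victim_dates = defaultdict(list)
    for card, merchant, day in transactions:
        customers[merchant].add(card)
        if card in fraud_cards:
            victim_dates[merchant].append(day)

    ranked = []
    for merchant, cards in customers.items():
        hits = cards & fraud_cards
        if not hits:
            continue
        share = len(hits) / len(fraud_cards)
        if share < min_share:               # too few victims shopped here
            continue
        ranked.append({
            "merchant": merchant,
            "fraud_cards": len(hits),
            "fraud_share": share,
            "precision": len(hits) / len(cards),
            "window": (min(victim_dates[merchant]), max(victim_dates[merchant])),
        })
    # Best candidate first: covers the most victims with the fewest bystanders.
    ranked.sort(key=lambda r: (r["fraud_share"], r["precision"]), reverse=True)
    return ranked


if __name__ == "__main__":
    tx, fraud = build_sample()
    for r in common_points_of_compromise(tx, fraud):
        print(f"{r['merchant']:<12} victims={r['fraud_cards']:>2} "
              f"share={r['fraud_share']:.2f} precision={r['precision']:.2f} "
              f"window={r['window'][0]}..{r['window'][1]}")
```

On the constructed data Dad's Cafe ranks first (all twelve victims, few other customers) and BigMart second (all twelve victims, but so did everyone else), which is why coverage alone is not enough to name a point of compromise.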

For our research, we read investigative and forensic reports related to point-of-sale investigations. For each case, we sent a survey to the lead investigative agent to gather specific information about the nature of the intrusion.

We attempted to gather the following information:

• What was the specific manner of intrusion into the point-of-sale system?

• What was the duration of the compromise?

• How many cards were compromised, or what was the fraud loss as a result of the intrusion?

• Did the attackers use malicious code, and if so, what type of code did they use?

• How did the victims (i.e., the businesses who used the point-of-sale system) learn of the intrusion?

We collected the data with the following larger questions in mind:

• Are there recurring types of malicious code used with point-of-sale system intrusions?

• How prevalent are zero-day malicious code infections?

• What is the average duration of a point-of-sale compromise?

• What is the average fraud loss or number of cards compromised?

• What are the primary attack or infiltration methods?

• How do the hackers exfiltrate stolen card data from compromised point-of-sale systems?

B. SURVEY METHODS

We identified forty-two new cases concerning point-of-sale system intrusions for the period of January 2013 through January 2014 by reviewing all network-intrusion investigations by the Secret Service specifically focused on point-of-sale systems. We sent a survey to the case agent in charge of each of the forty-two point-of-sale system investigations. Of the forty-two surveys we submitted, we received responses from forty-one. The survey included seven questions related to the nature of the point-of-sale system compromise, including length of intrusion, method of intrusion, method of card exfiltration, and the method by which the intrusion was discovered.

C. RESULTS

The table in the appendix summarizes each case. In some instances, specific data, such as the duration of the intrusion or the specific malicious code used, was not provided, for one of the following reasons:

• The business owner or point-of-sale system vendor may have performed a system clean-up or completely rebuilt the system before law enforcement or third-party forensic vendors had an opportunity to perform forensic analysis.

• During the investigation the case agent (i.e., the Secret Service agent leading the criminal investigation) presented a summary of the case, including fraud loss, identities of suspects, etc., to a federal prosecutor. If the federal prosecutor declined to prosecute, the Secret Service ceased any further investigation or forensic analysis.

• In a small number of cases the business owner may have hired a private forensic firm to conduct a private investigation and implement security improvements. The third-party analyses do not always address the specific research questions we pursued.

• Some investigations were in the early phases and complete data was not yet available.

The table in the appendix provides a summary of each criminal investigation undertaken by the United States Secret Service of point-of-sale system intrusions from January 2013 through January 2014. The table reveals some interesting statistical trends:

• The most common entry point into point-of-sale systems was through poorly secured remote-desktop environments. Other security risks were having no firewall, having missing or out-of-date anti-virus protection, and using point-of-sale system terminals for personal Internet activities.

• The most common form of malicious code was Perfect Keylogger for hard-disk-based keystroke loggers, and the “sr.exe” and “searcher.dll” pair for random-access memory-based “scrapers.” A “memory scraper” or “RAM scraper” is malicious code that monitors specific point-of-sale processes in random-access memory to catch payment-card data when it is temporarily unencrypted as it transits certain processes in memory (Kotov, 2014).

• In most cases, banks or other financial institutions identified the victim business by recognizing the “common point of compromise.”

• In some instances victims were identified through other Secret Service investigations. For example, a Secret Service agent may arrest a suspect in a point-of-sale intrusion case who admits to hacking into other, unreported point-of-sale systems.

• In no cases did the victims first learn about the intrusions on their own.

• For cases where the duration of the intrusion is known, its average length was 6.3 months.

• The total number of stolen cards identified to date is 2,498,956 for forty-two criminal cases. If we use the U.S. Sentencing Commission standard fraud loss per card of $500.00, then the potential fraud loss for these forty-two investigations alone is $1.2 billion. The number of compromised cards will likely grow as financial institutions complete their assessments.

This survey revealed that point-of-sale system intrusions were not sophisticated, because they did not need to be. In most cases, hackers breach the point-of-sale system by scanning for standard port numbers associated with remote desktop environment products or services. Then the hacker generally tries default passwords or easy-to-guess passwords.
V. FORENSIC INDICATORS OF POINT OF SALE SYSTEM ATTACKS

A. POINT-OF-SALE SYSTEM ATTACK CHARACTERISTICS

Point-of-sale system intrusion methods reflect the gamut of the larger world of network intrusions and include a mix of physical attacks, Web-based attacks, and network attacks. A brief survey of some of the largest point-of-sale system intrusions illustrates this spectrum (Berg, Freeman, & Schneider, 2008; Krebs, 2011; Krebs, 2014, February 06; US v. Gonzalez, 2009):


Table 3. Intrusion Methods for Major Point-of-sale Intrusions

| Victim                        | Initial method of intrusion         |
|-------------------------------|-------------------------------------|
| TJ Maxx chain                 | Cracked WEP Wi-Fi password          |
| Michael’s Craft Stores        | Physical tampering of POS terminals |
| Target Department Store chain | Compromised 3rd-party credentials   |
| Hannaford Supermarket chain   | SQL injection                       |

While criminals apply a variety of methods against larger retail corporations, they more often attack smaller retail establishments by focusing on remote-desktop (remote-access) connections. The statistical data collected in Chapter IV show that out of thirty cases with a known or suspected method of compromise, sixteen involved remote desktop software. In a white paper for the 2010 Black Hat USA conference, researchers from the security and forensics company Trustwave called exploitation of point-of-sale remote access “the easy way” (Percoco and Ilyas, 2010). Trustwave’s 2013 Global Security Report identified remote desktop exploitation as the cause of 47% of all network intrusions that company investigated (Trustwave, 2013).

Many small and medium-size retail establishments use simple remote-access software (e.g., PC Anywhere, GoToMyPC, LogMeIn, or Microsoft Remote Desktop) to allow point-of-sale technicians and restaurant managers to remotely access the system at any time. If a bar or restaurant experiences point-of-sale system troubles during a busy Saturday night, the establishment wants the system fixed immediately, and the point-of-sale technician wants to avoid a possibly long drive to the restaurant. Thus, there is sound business logic for remote access. Criminals have learned, however, that many businesses use remote-access products with weak passwords. Therefore, criminals merely need to run a port-scan tool such as Nmap against potential point-of-sale IP addresses, looking for standard port numbers for remote access products. For example, Microsoft’s Remote Desktop Protocol runs on TCP port 3389, and PC Anywhere operates on TCP port 5631 or 5632. Once an attacker has collected a list of potential targets, the attacker can try a list of common login names and passwords. In some cases, point-of-sale system components were left configured with standard login name and password combinations (e.g., user name “aloha,” password “aloha”), which exacerbated the problem (Trustwave, 2014).

Once criminals have entered the point-of-sale network, they usually install malicious code designed to capture payment-card data. In general, this malicious code is either traditional keylogger software (e.g., Perfect Keylogger) or random-access memory (RAM) scrapers. Keylogging software monitors input sources such as keyboards and card readers. Keylogging software such as Perfect Keylogger collects captured card data into a log file. The criminals may retrieve the log file manually (using the original intrusion method, often a poorly-secured remote-access application) or establish a file transfer protocol (FTP) or simple mail transfer protocol (SMTP) service to exfiltrate data from the compromised system. Attackers can configure the SMTP or FTP service to periodically export a payment-card log file to an external server or Web mail account.

Malware scrapers are currently the more common method of capturing card track data (Trustwave & USSS, 2012). When an employee swipes a card, the track data is briefly held in memory before the point-of-sale application encrypts it. Memory scrapers monitor specific buffers in memory known to be associated with specific point-of-sale processes. When the malicious code identifies new payment-card data, it is copied to a log file on the hard drive of the infected point-of-sale machine. Depending on the specific memory scraper tool being used, the scraper may perform additional actions on the collected data, such as parsing and encryption. Criminals can then retrieve the collected card data manually, repeating the initial intrusion methods (Trustwave, 2014).

B. A FORENSIC CASE STUDY

In a typical point-of-sale system implementation, employees swipe cards at one or more point-of-sale terminals. The track data is sent to a buffer in memory, either on the terminals themselves or at the back-of-house server (Trustwave, 2014; Trustwave, 2010). The point-of-sale system software reads the card data from the memory buffer and encrypts the cardholder data before it is sent to a financial institution for approval. Memory scrapers target cardholder data in the brief instant that it is unencrypted in the memory buffer.

To provide insight into potential forensic evidence from a criminal compromise of a point-of-sale system, we examined a back-of-house server from a victim restaurant. The compromised machine ran Microsoft Windows XP Service Pack 2 and a standard copy of Aloha Manager/EDC point-of-sale software, along with a copy of Symantec’s PCAnywhere to support remote access. The built-in Windows firewall was disabled, as were Windows Automatic Updates for system security patches.

For this server, we performed the following forensic steps:

1. We began with a “clean” Universal Serial Bus thumb drive. The drive was formatted with the NTFS file system to eliminate possible storage problems (e.g., file size and file name length) with the FAT32 file system.

2. On the thumb drive we installed a “known good” copy of cmd.exe taken from a different computer with a fresh installation of Microsoft Windows.

3. We added a copy of the tool “Dumpit” from Moonsols to collect a copy of the target system’s random access memory (RAM). As a backup tool, we added a copy of AccessData’s FTK Imager Lite.

4. On the live (compromised) system, we inserted the thumb drive. After it mounted, we navigated to the drive letter of the thumb drive and ran the program cmd.exe.

5. At the Windows Command Line Interface (CLI), we collected volatile and system information via the following commands:

• F:\> ipconfig /all >>collection.txt
• F:\> netstat -ano >>collection.txt
• F:\> whoami >>collection.txt
• F:\> systeminfo >>collection.txt
• F:\> net user >>collection.txt
• F:\> net accounts >>collection.txt
• F:\> openfiles >>collection.txt
• F:\> tasklist /v >>collection.txt
• F:\> wmic process list full >>collection.txt
• F:\> net start >>collection.txt
• F:\> tasklist /svc >>collection.txt
• F:\> schtasks >>collection.txt
• F:\> wmic startup list full >>collection.txt
• F:\> wmic useraccount where name='edc' get sid

The last command collected the security identifier (SID) of the currently logged-on user. This information is necessary to manually copy the user’s ntuser.dat file.

6. We ran the tool Dumpit from Moonsols from the command line, which copied the contents of the live system’s random-access memory into a dump file in the .raw format.

7. We manually copied the Windows Registry hive files with:

• F:\> reg save HKLM\SAM f:\regsamdump
• F:\> reg save HKLM\SYSTEM f:\regsystemdump
• F:\> reg save HKLM\SECURITY f:\regsecuritydump
• F:\> reg save HKLM\SOFTWARE f:\regsoftwaredump
• F:\> reg save HKU\{user’s SID value} f:\ntuserdump.dat

8. We manually copied the Windows Event Logs using “copy *.wev f:\”.

9. We analyzed the gathered information with a variety of forensic tools, including:

• Bulk Data Extractor: Used for parsing useful strings (e.g., email addresses, Internet Protocol addresses) out of a source, such as our memory dump file.

• Strings: Used for pulling clear-text strings out of a source, including formatted files.

• Redline: Used for analyzing running processes and looking for indications of malicious code and rootkit infections.

• RegRipper: Used to parse data from Windows Registry hives, including installed software, mounted hardware, entries in the Windows Prefetch file, and more.

• Volatility: Used to extract specific information, such as data on running processes, from memory-dump files. Volatility is built on a modular framework, which allows an examiner to choose specific plug-ins.

• YARU: Used for exploring imported Windows Registry hives in the native directory structure.

• Event Log Explorer: Used for importing Windows Event Logs. Although the native Windows Event Viewer works well for this task, the Event Log Explorer tool offers more export options and can concatenate multiple Windows event logs into one file.

In the case of the compromised back-of-house server, forensic analysis revealed that criminals installed a three-part memory scraper tool on the server. The loader (controller) file rpcsrv.exe appears on a security alert of point-of-sale malicious code published by Visa, Inc. in 2009 (Visa, 2009), though the other files were not recognized.

The loader functioned as the malicious-code installer. It added a service for persistence, pointing to itself, and also loaded the other two files, one for parsing card strings in memory, and the other for data aggregation. After running the Strings tool against this file, the output revealed the two files this controller file was set to start:

start /min algsvc.exe

start /min rdpsvc.exe

The second component was the actual memory-scraper tool. Memory scrapers are generally written to monitor specific point-of-sale executable files that process card track data. In the case of the infected back-of-house server, this machine ran Aloha’s EDC (Electronic Draft Capture) software for processing swiped card data. The memory scraping tool, algsvc.exe, monitors the legitimate Aloha process (edcsvr.exe) in memory for credit card strings. An analysis of the memory scraper with the Strings tool shows specific references to edcsvr.exe.

The third component was a data-aggregation tool, rdpsvc.exe. It monitored data collected from the memory scraper and parsed card data. This data was then obfuscated and sent to dump files, which the criminals would retrieve manually.
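The following Python script is an added illustration for this case study; it is not part of the thesis, of the Strings tool, or of any vendor product. It performs the same kind of printable-string pass the text describes, in both narrow (ASCII) and wide (UTF-16LE) form, and then looks for the two things the examiner found: "start /min" launch commands naming the other components, and references to the legitimate EDC process edcsvr.exe that a memory scraper would watch. The component names come from the page; the sample bytes are constructed for the example and are not a real loader.

```python
import re

# Indicators drawn from the case study on this page: the launch command the loader
# used for its two components, and the legitimate Aloha EDC process the scraper watched.
LOADER_LAUNCH = re.compile(r"start\s+/min\s+(\S+)", re.IGNORECASE)
WATCHED_POS_PROCESSES = {"edcsvr.exe"}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, as the Strings tool reports them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs (common in Windows binaries) that an ASCII-only pass would miss."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def triage_strings(data: bytes) -> dict:
    """Summarise what the printable strings of a suspect binary reveal."""
    found = ascii_strings(data) + utf16le_strings(data)
    launched = []
    for s in found:
        for m in LOADER_LAUNCH.finditer(s):
            launched.append(m.group(1).lower())
    lowered = [s.lower() for s in found]
    watched = sorted(p for p in WATCHED_POS_PROCESSES if any(p in s for s in lowered))
    return {
        "string_count": len(found),
        "launches": launched,          # executables the sample starts, in order of appearance
        "pos_process_refs": watched,   # legitimate POS processes it names (scraper targets)
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file collected from an image or a live system."""
    with open(path, "rb") as f:
        return triage_strings(f.read())


# Constructed stand-in for the loader: a few header-like bytes, the two launch commands
# quoted on the page as narrow strings, and the EDC process name as a wide string.
# It is not a real PE file.
SAMPLE_LOADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"\x01\x02start /min algsvc.exe\x00"
    + b"\xff\xfestart /min rdpsvc.exe\x00\x01\x01"
    + "edcsvr.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80"
)

if __name__ == "__main__":
    for key, value in triage_strings(SAMPLE_LOADER).items():
        print(f"{key}: {value}")
```

On the sample the script reports the two launched components and the edcsvr.exe reference; on a real file, a launch list naming unknown executables in a system directory is the cue to pull and hash those files next.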

C. SAMPLE FORENSIC INDICATORS OF POINT-OF-SALE SYSTEM INTRUSIONS

Non-volatile evidence may be collected via several techniques, including full disk-drive imaging with a write-blocking mechanism and imaging software, or through the collection of specific files or directories. In some instances an establishment is unable or unwilling to take its point-of-sale system offline for traditional disk imaging, in which case non-volatile information can be collected directly from the machine.

Nonvolatile evidence includes persistent malicious code, Windows Registry keys, cache files, and log files. Malicious code in the form of keyloggers, especially common applications like Perfect Keylogger, will likely generate positive hits with anti-virus products. Point-of-sale specific malicious code may not be included in standard anti-virus signature lists, but Web resources do provide MD5 checksum values and Windows Registry key values for some malware scrapers (Visa, 2009; Trustwave, 2010; iSight, 2014; Wilson, Loftus, & Bing, 2013; Higgins, 2014).

For example, the security research company iSight published a list of non-volatile forensic indicators for the Kaptoxa point-of-sale malicious code set, which many believe was used in the Target department store intrusion (iSight, 2014; Krebs, January 2014). This list includes additions and modifications of fifteen Windows Registry keys (e.g., HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_POSWDS\0000\Control) and eighteen malicious code files that may be present in a Kaptoxa-infected point-of-sale system including name, extension, size, and four different hash values for each malicious file.
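The advisories described above publish file names, sizes and several hash values per malicious file. The Python script below is an added example of how an examiner turns such a list into a scan of a collected directory tree; it is not code from the thesis, iSight, or Visa. It hashes every file with the four common digests, reports hash matches as strong hits, treats a size match only as corroboration of a hash hit, and reports a bare file-name match separately as weak, because names are trivially changed. The indicator list here is constructed: the file name rpcsrv.exe comes from the page, but the hashes are of sample content created by the script, not published Kaptoxa or rpcsrv.exe hashes.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_file(path: Path) -> dict:
    """Compute all four digests in one pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_indicator(path: Path, digests: dict, ioc: dict) -> list:
    """Reasons this file matches one published indicator; an empty list means no match."""
    reasons = []
    for algo, value in ioc.get("hashes", {}).items():
        if digests.get(algo) == value.lower():
            reasons.append(f"{algo} match")
    if reasons and "size" in ioc and path.stat().st_size == ioc["size"]:
        reasons.append("size match")            # corroborates a hash hit only
    if "name" in ioc and path.name.lower() == ioc["name"].lower():
        reasons.append("filename match (weak: names are trivially changed)")
    return reasons


def scan_tree(root, indicators: list) -> list:
    """Walk a collected directory tree and report every indicator each file matches."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digests = digest_file(path)
        for ioc in indicators:
            reasons = match_indicator(path, digests, ioc)
            if reasons:
                hits.append({"path": str(path.relative_to(root)),
                             "indicator": ioc["label"], "reasons": reasons})
    return hits


def build_demo_tree() -> tuple:
    """Constructed stand-in for a collected POS directory, plus an indicator list keyed to it."""
    root = Path(tempfile.mkdtemp(prefix="pos_demo_"))
    malicious = b"constructed stand-in for a loader binary\x00\x01\x02"
    (root / "rpcsrv.exe").write_bytes(malicious)             # name from the page, content constructed
    (root / "sys").mkdir()
    (root / "sys" / "update.tmp").write_bytes(malicious)     # same bytes under an innocent name
    (root / "aloha.log").write_text("benign log entry\n")
    indicators = [{
        "label": "constructed-loader-indicator",   # placeholder, not a published IoC
        "name": "rpcsrv.exe",
        "size": len(malicious),
        "hashes": {"md5": hashlib.md5(malicious).hexdigest(),
                   "sha256": hashlib.sha256(malicious).hexdigest()},
    }]
    return root, indicators


def demo() -> list:
    root, indicators = build_demo_tree()
    try:
        return scan_tree(root, indicators)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "->", hit["indicator"], "|", "; ".join(hit["reasons"]))
```

The renamed copy under sys/ is caught by its hashes alone, which is the point of shipping digests rather than names in an advisory; run the same scan against a mounted image or an exported directory rather than the live system where possible.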

Volatile evidence is obtained by deploying specific data collection tools on the live machine. Although the use of these tools on a live device will leave evidence that an examiner used such tools (for example, in the Windows Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) (Carvey, 2011), most live-response collection tools and methods leave a minimal footprint.

Volatile evidence may include running processes (hidden or open), suspicious network ports, volatile Windows Registry key values, temporary files, and memory-only malicious-code activity. Examiners may have prior information that enables them to focus on certain suspicious network ports or running processes. For the case study of the server, we know that the controller file loaded the memory-scraper program (algsvc.exe) and the card data parsing and aggregation program (rdpsvc.exe), both of which ran as normal (i.e., non-hidden) processes.
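As an added example of the process and port review described above (not code from the thesis or from any live-response toolkit), the Python script below takes the text an examiner already has from a live machine, in the layout of `tasklist` and `netstat -ano`, and joins the two on PID. It flags the component names from this case study, look-alikes of Windows system process names such as the "scvhost.exe" misspelling noted in the appendix, listening ports outside an assumed baseline, and established connections from any process already flagged. The sample output is constructed for the example and was not captured from a real host; the expected-port baseline and the system-name list are assumptions.

```python
import re

# Names taken from this page: the scraper components from the case study and the
# misspelled "scvhost.exe" noted in the appendix. Everything else here is an assumption
# made for the example, including the expected listening ports of the server.
KNOWN_BAD_NAMES = {"algsvc.exe", "rdpsvc.exe", "rpcsrv.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "explorer.exe", "winlogon.exe"}
EXPECTED_LISTEN_PORTS = {135, 445, 3389}   # assumed baseline for this server

NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|CLOSE_WAIT|TIME_WAIT|SYN_SENT)\s+)?(\d+)\s*$")


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name; names may contain spaces, so columns are read from the right."""
    procs = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) >= 6 and toks[-5].isdigit():
            procs[int(toks[-5])] = " ".join(toks[:-5]).lower()
    return procs


def parse_netstat(text: str) -> list:
    """Connections as dicts: proto, local port, remote endpoint, state (None for UDP), PID."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local_port": int(local.rsplit(":", 1)[1]),
                          "remote": remote, "state": state, "pid": int(pid)})
    return conns


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (scvhost vs svchost = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(tasklist_text: str, netstat_text: str) -> list:
    """Return (pid, name, reason) findings an examiner would review first."""
    procs = parse_tasklist(tasklist_text)
    findings, flagged = [], set()
    for pid, name in procs.items():
        if name in KNOWN_BAD_NAMES:
            findings.append((pid, name, "known POS malware component name"))
            flagged.add(pid)
        elif name not in SYSTEM_NAMES:
            for legit in sorted(SYSTEM_NAMES):
                if osa_distance(name, legit) == 1:
                    findings.append((pid, name, f"look-alike of system process {legit}"))
                    flagged.add(pid)
                    break
    for c in parse_netstat(netstat_text):
        name = procs.get(c["pid"], "<unknown pid>")
        if c["state"] == "LISTENING" and c["local_port"] not in EXPECTED_LISTEN_PORTS:
            findings.append((c["pid"], name, f"unexpected listening port {c['local_port']}"))
        elif c["state"] == "ESTABLISHED" and c["pid"] in flagged:
            findings.append((c["pid"], name,
                             f"established connection to {c['remote']} from flagged process"))
    return findings


# Constructed sample output in the layout of `tasklist` and `netstat -ano`; not from a real host.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    812 Services                   0     10,240 K
explorer.exe                  1500 Console                    1     35,120 K
edcsvr.exe                    1234 Services                   0     12,345 K
algsvc.exe                    2244 Services                   0      4,096 K
scvhost.exe                   2260 Services                   0      6,144 K
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2260
  TCP    192.168.1.10:49230     203.0.113.5:80         ESTABLISHED     2260
  UDP    0.0.0.0:500            *:*                                    812
"""

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(f"PID {pid:>5}  {name:<22} {reason}")
```

The two parsers work on saved command output, so the only footprint on the live machine is the two built-in commands the examiner ran; the triage itself can run offline on the collected text.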

Network evidence can be useful to learn how stolen data exited the impacted network, as well as its destination. In some instances, for example zero-day exploits or highly stealthy techniques, network forensics may be the best option for discovering the outbound export of sensitive data. Indeed, when Google fell victim to an Advanced Persistent Threat (also known as an Operation Aurora attack) intrusion in 2010, Google’s incident-response team relied on Domain Name Service logs to piece together the nature of the attack (Westervelt, 2010).

Network forensic evidence is also useful in an investigation, and can come from log files (Domain Name Service, mail, Web, Dynamic Host Configuration Protocol, etc.) or by capturing network packets in real time. For the latter, the investigator can use a small network tap, a span port on a network switch, or a packet-capture tool such as Windump or Wireshark, although these generally require installation of new software, which may violate the principle of making as few changes to the original evidence as possible. Capturing network packets in real time can be challenging, as the resulting capture files can grow very quickly. Nevertheless, running packet capture tools on traffic of a suspected infected machine may be the best option for determining the methods and destinations of outbound compromised data. As an example, the Arbor SERT revealed the following signatures from the recent Dexter point-of-sale malicious code (Wilson, Loftus, & Bing, 2013):

• GET /hint/chck.php HTTP/1.1

• Host: rome0[.]biz

• Accept: text/html, */*

• Accept-Encoding: identity

• User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1

• Hxxp://rome0.biz/hint/cx.php
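The Python script below is an added example of turning the published Dexter traits above into detection logic over captured HTTP requests; it is not code from the thesis or from Arbor SERT. It shows the step practitioners often trip over, refanging the published "rome0[.]biz" and "hxxp" forms back into what actually appears on the wire, parses each raw request, and reports a request only when a strong trait (the host or one of the two paths) is present, listing the weaker header traits alongside it. The request samples are constructed for the example; the portion of the User-Agent after SLCC1 in the first sample is invented, since the page quotes the string only up to that token.

```python
import re

# Indicators transcribed from the Dexter signatures quoted on this page
# (Wilson, Loftus, & Bing, 2013); the host is kept in its defanged form.
DEXTER_HOST = "rome0[.]biz"
DEXTER_PATHS = {"/hint/chck.php", "/hint/cx.php"}
DEXTER_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1"


def refang(indicator: str) -> str:
    """Turn a published, defanged indicator into the literal form seen on the wire."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def parse_http_request(raw: str):
    """Split one raw HTTP/1.x request into method, path, headers and body; None if malformed."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+HTTP/(\d\.\d)$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers, "body": body}


def match_dexter(req: dict) -> list:
    """Which published Dexter traits this request shows, strongest first."""
    reasons = []
    host = req["headers"].get("host", "").lower()
    c2 = refang(DEXTER_HOST)
    if host == c2 or host.endswith("." + c2):
        reasons.append("host")
    if req["path"].split("?", 1)[0] in DEXTER_PATHS:
        reasons.append("path")
    if req["headers"].get("user-agent", "").startswith(DEXTER_UA_PREFIX):
        reasons.append("user-agent")
    if req["headers"].get("accept-encoding", "").lower() == "identity":
        reasons.append("accept-encoding")
    return reasons


def scan_requests(raw_requests: list) -> list:
    """Report requests with at least one strong trait (host or path); weak headers alone do not fire."""
    findings = []
    for idx, raw in enumerate(raw_requests):
        req = parse_http_request(raw)
        if req is None:
            continue
        reasons = match_dexter(req)
        if "host" in reasons or "path" in reasons:
            findings.append({"index": idx, "path": req["path"],
                             "host": req["headers"].get("host", ""),
                             "reasons": reasons,
                             "confidence": "high" if "host" in reasons else "medium"})
    return findings


# Constructed sample requests (documentation/example hosts only; not from a real capture).
SAMPLE_REQUESTS = [
    "GET /hint/chck.php HTTP/1.1\r\nHost: rome0.biz\r\nAccept: text/html, */*\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727)\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/26.0\r\n\r\n",
    "POST /hint/cx.php HTTP/1.1\r\nHost: rome0.biz\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\npage=test",
    "GET /hint/chck.php HTTP/1.1\r\nHost: intranet.example.internal\r\nUser-Agent: curl/7.30.0\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"request {f['index']}: {f['host']}{f['path']} "
              f"[{f['confidence']}] {', '.join(f['reasons'])}")
```

The same functions apply to requests reassembled from a packet capture or to lines from a Web proxy log once the host, path and headers are pulled out; a path-only hit such as the last sample is reported at lower confidence so that an analyst reviews it rather than an alert firing on it alone.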
VI. RECOMMENDATIONS FOR PREVENTING POINT-OF-SALE INTRUSIONS


A. TECHNICAL SECURITY RECOMMENDATIONS

Information gathered from criminal investigations of point-of-sale system intrusions and from trend reports from Trustwave demonstrate that criminals often use predictable patterns of attack behavior along with easily identifiable malicious code. Poorly secured remote access is perhaps the most common entry method for criminals, and we recommend that retailers pay particularly close attention to improving it.

1. Secure remote access capabilities

If remote access between point-of-sale vendor technicians and the point-of-sale system is a necessary evil, then the point-of-sale system operators must operate it as securely as possible. We offer the following recommendations:

A. Avoid, if possible, remote-access products and services such as PCAnywhere, GoToMyPC, Microsoft RDP, LogMeIn, etc. Point-of-sale system operators can instead install an effective yet inexpensive hardware firewall with virtual private networking capabilities, such as the Cisco ASA 5510, sold by a variety of vendors for under $400.

B. If commercial remote access products are unavoidable, point-of-sale operators (i.e., the restaurant, hotel, or store) should establish good passwords for access to the system. Do not allow point-of-sale system vendors to establish user names and passwords. Users should follow best practices for length, expiration, and complexity. Users can check the strength of a given password from a variety of password checking Web sites, including www.passwordmeter.com.

C. If commercial remote-access products are unavoidable, point-of-sale operators should consider enabling the remote access service only when it is needed. If an off-site employee or point-of-sale technician requires remote access, require that they call in to request its enablement. Point-of-sale operators should be able to disable the remote-access product when not in use by suspension or shut-off functions within the application, or by stopping the running process at the command line or within Windows Task Manager.

2. Use an effective anti-virus product

Anti-virus products may not be effective against some types of malicious code that only attack point-of-sale systems (Trustwave, 2014). Nevertheless, anti-virus products are still effective in identifying popular keystroke logging tools, such as Perfect Keylogger. Point-of-sale system users should use an anti-virus product, configure it to receive automatic updates, and run automatic scans.

3. Use a firewall

In addition to using a hardware firewall to protect the point-of-sale system’s network, operators should use a software firewall on each terminal and the back-of-house server. These add an additional layer of security and another opportunity for log file activity. Microsoft Windows includes a built-in firewall with the Windows operating system.

4. Restrict point-of-sale nodes to specific business use

Point-of-sale system operators should forbid employees from using point-of-sale system terminals and back-of-house servers for other Internet activities such as visiting Web sites, checking e-mail, etc. All nodes on the point-of-sale system should be restricted to the business functions of processing sales and card information to limit opportunities for malicious access.

5. Operate point-of-sale system nodes with least privileges

Operation of point-of-sale terminals and back-of-house servers should use minimal privileges (i.e., non-administrative accounts). Operators should disable any unnecessary accounts (e.g., guest) and ensure all accounts follow information security best practices for password use (length, expiration, complexity).

6. Harden the operating system of point-of-sale system nodes

Point-of-sale system operators should strengthen the security of the underlying operating systems of point-of-sale nodes. They should consider security configuration guides from the National Institute of Standards and Technology. Specific suggestions include enabling automatic updates and disabling unnecessary applications and services.

B. A POINT-OF-SALE-SYSTEM SECURITY AWARENESS CAMPAIGN

Several organizations have published advisories and security configuration checklists for point-of-sale terminals. For example, in January 2014 the United States Computer Emergency Readiness Team (US-CERT) published a two-page document, “Malware Targeting Point of Sale Systems” (US-CERT, 2014). This advisory provides a brief overview of point-of-sale systems, the nature of point-of-sale system compromises, and a brief bulleted list of recommended security steps. Visa released a slightly more technical report, “Retail Merchants Targeted by Memory-Parsing Malware-Update” (Visa, 2014). This document provides a more specific two-page list of point-of-sale system security steps, but Visa also includes without explanation a two-page list of point-of-sale system malicious code file names and MD5 hash values. Although this information is very helpful to investigators, it is doubtful that most small and medium size point-of-sale operators will know what to do with MD5 hash values.

The Department of Homeland Security can help lead a public awareness campaign for the improvement of point-of-sale system security. This program clearly meets two key objectives of the Department, as specified in the Quadrennial Homeland Security Review Report (DHS, 2010): (1) prevent cyber crime and other malicious uses of cyberspace, and (2) enhance public awareness.

As a precedent, the United States Secret Service, a component of the Department of Homeland Security, has for several years managed a successful international public awareness campaign concerning genuine currency. This awareness campaign uses a multi-level approach to public education, ranging from colorful flyers and posters for general information to detailed Web sites, seminars, and brochures for banks, retailers, and others who handle large amounts of currency. A point-of-sale security public awareness campaign could follow a similar layered approach. The first layer can feature easy-to-follow flyers, posters, and brochures that illustrate basic elements of point-of-sale system security. These items should use graphics and catchy phrases that will capture the attention of average point-of-sale system users. Middle layers can provide more specific “checklist” style steps toward improving point-of-sale system security, most likely in document format. Advanced layers can provide more technical security improvement procedures, including specific steps for different vendors of point-of-sale systems.
APPENDIX

Summary of United States Secret Service point-of-sale system intrusion investigations (RDE = Remote Desktop Environment)

| Case # | Possible Intrusion Method | Malware and/or Hacker Tools Used | Victim Notified by | Fraud Loss or Number of Payment Cards Stolen: Category | Approx. Duration of Intrusion | Notes |
|---|---|---|---|---|---|---|
| 1 | Vulnerable RDE | Unspecified keylogger and remote Trojan | N/A | F | Unknown | |
| 2 | Vulnerable RDE | Sr.exe; searcher.dll; run.exe | Bank(s) | A | Unknown | |
| 3 | Unknown but RDE in use | Unknown | Bank(s) | D | 3 months | Victim did partial system repair prior to law enforcement contact |
| 4 | RDE with weak password; no firewall | Sr.exe; searcher.dll; run.exe | Bank(s) | A | 3 months | |
| 5 | Vulnerable RDE | Sr.exe; searcher.dll | Bank(s) | A | 1 month | |
| 6 | Unknown | Sqlmgmt.exe; Rptsvc32.exe; sppt32.exe | Bank(s) | Unknown | 2 months | |
| 7 | RDE with default passwords | Perfect Keylogger | Bank(s) | A | 5+ months | |
| 8 | Weak login password | Suidshell malware | Bank(s) | B | 5 months | Rare *nix PCS system |
| 9 | PCS terminals used for personal Internet activities | Perfect Keylogger; wuauclt.exe | Data from another criminal case | A | 8 months | |
| 10 | Unknown | Spyeare.HidetoolsSpy | Data from another criminal case | A | 2 months | |
| 11 | Unknown | Unspecified RAM dumper | Bank(s) | A | 14 months | |
| 12 | Unknown | Unspecified Trojan (hidden as “scvhost.exe”; note the unusual spelling) | Data from another criminal case | A | 6 months | |
| 13 | Unknown | Spoolsw.exe | Bank(s) | Unknown | Unknown | |
| 14 | Anti-virus 2 years out of date; POS terminals used for personal Internet use | Two possible: “msseces.exe” and “ctfmon.exe” | Bank(s) | A | 5 months | |
| 15 | No firewall; no anti-virus | Trojan.vundo | Bank(s) | D | Unknown | |
| 16 | Vulnerable RDE | Perfect Keylogger | Unknown | A | 5 weeks | |
| 17 | Vulnerable RDE | Unspecified RAM dumper | Unknown | Unknown | Unknown | |
| 18 | Weak passwords | “Wnhelp.exe”; “Mmon.exe” (the latter specifically captures credit card track data); SAMInside password cracker found on system | Bank(s) | E | 5 weeks | |
| 19 | Blank admin password | “Sr.exe” and “Searcher.dll” | Bank(s) | Unknown | 27 months | |
| 20 | Survey not returned | | | | | |
| 21 | Weak passwords | “Sr.exe” and “Searcher.dll” | Unknown | Unknown | Unknown | |
| 22 | Possible infection due to use of POS system for personal Internet use | “Downloadermstdc.exe”; possibly 61 pieces of malicious code across multiple franchise locations | Bank(s) | C | 3 months | |
| 23 | POS vendor’s RDE account was compromised | “Trojan.agent.s.z”; “Aluroot-b” | Bank(s) | E | Unknown | |
| 24 | Evidence that victim was phished | Unspecified malicious code | Bank(s) | D | Unknown | |
| 25 | Victim’s card processing company was penetrated | Evidence of malicious command shell access found during forensic work, but no specific malware or hacking tools found to date | Bank(s) | F | 1 month | |
| 26 | 3 different RDE products found on POS system; owner only knew of one | Unknown | Bank(s) | D | Unknown | |
| 27 | Vulnerable RDE | Unknown | Bank(s) | D | Unknown | |
| 28 | Vulnerable RDE | 2 keyloggers: “hkcmd.exe” and “winupd.exe”; 2 RAM scrapers: “sr.exe”/“searcher.dll” and “mmon.exe” | Private Forensic Company | A | 9 months | |
| 29 | Unknown | Perfect Keylogger | Bank(s) | A, D | c. 4 months | |
| 30 | No firewall; vulnerable RDE | 2 keyloggers: “Perfect Keylogger” and “Ardamax” | Bank(s) | 3,600 cards | 20 months | |
| 31 | No firewall; vulnerable RDE | Perfect Keylogger | Data from another criminal case | A | 17 months | |
| 32 | Unknown | Perfect Keylogger | Data from another criminal case | A | 8 months | |
| 33 | Unknown | “Ardamax” keylogger and “Infostealer.bancos” Trojan | Data from another criminal case | A | 4 months | |
| 34 | Unknown | Zero day or custom keylogger | Data from another criminal case | A | Unknown | |
| 35 | Vulnerable RDE | “Ardamax” keylogger | Data from another criminal case | Unknown | 16 months | Criminal intent may be more focused on identity theft than payment card fraud |
| 36 | Vulnerable RDE | Unknown but “Ardamax” keylogger suspected | Data from another criminal case | Unknown | 1 month | Criminal intent may be more focused on identity theft than payment card fraud |
| 37 | Unknown | Zero day or custom keylogger | TBD | TBD | 4 months | |
| 38 | Unknown | “Alghlp.exe”; “Ntmpsvc.exe”; “Mcservice.exe” | Bank(s) | A | 3 months | |
| 39 | Business chain; most franchises used RDE | All victim franchises had some combination of “Sr.exe”/“Searcher.dll”; “Rdasrv.exe”; and “Cardreconv1.14.17_cracked.exe” on their systems | TBD | B | TBD | |
| 40 | Unknown | “Trojan 2-bot” and unspecified keylogger | Bank(s) | D | Unknown but fraud attempts lasted for 2 months | POS vendor did some clean up before law enforcement involvement |
| 41 | Vulnerable RDE | “Sr.exe” and “Searcher.dll” | Bank(s) | A | 1 month | |
| 42 | Vulnerable RDE | “Zbot” (aka Zeus Trojan); “Alina” virus (RAM scraper) | Bank(s) | C | 1-3 months | |

Note that some entries with “unknown” data are recent cases in which forensic or investigative data may be forthcoming. In others, a federal prosecutor declined further consideration of the case, causing law enforcement to cease forensic and investigative activities.

“Vulnerable RDE” means the victim used a default installation of a popular remote desktop environment, usually PC Anywhere, GoToMyPC, LogMeIn, or Microsoft Remote Desktop. In some cases the victim (business) was not aware of the presence of the remote desktop environment; in many cases the remote desktop environment used weak passwords.

Key for “Fraud Loss or Number of Payment Cards Stolen” column:

A - Fewer than 10,000 payment cards stolen
B - 10,001 - 25,000 payment cards stolen
C - More than 25,000 payment cards stolen
D - Fraud loss less than $50,000
E - Fraud loss between $50,000 and $250,000
F - Fraud loss greater than $250,000